Hello, welcome to the Wednesday, May 8, 2019 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Renato today published an interesting post about an exploit that hit one of his Jenkins honeypots. Jenkins is an automation server that's very

popular in the DevOps community. It essentially allows you to automate building large software

projects. The vulnerability being exploited here is in the Stapler Web web framework. Jenkins is written in Java and so is

stapler. Not really deseralization vulnerable in this case, but instead the issue with Jenkins

is that Jenkins is able to execute commands on the system in order to compile or run various

scripts.

Well, there are certain Java objects that were not supposed to be accessible via the web

interface, but by using crafted URLs, it was pretty straightforward due to this vulnerability that was discovered

in December. In March, a proof-of-concept exploit was released and this exploit is what

Renato found in his honeypot. Now the end goal in this case was, of course, to install a crypto coin miner.

A couple interesting little tidbits here. First of all, this particular exploit script used

a custom UPS unpacker. UPS is very, very old and often used by Malver, in particular

since it's kind of easy to sort of modify

UPS-packed files a little bit, and then they won't necessarily be recognized as

UPX-packed files like in this case. Also, the name of the particular exploit script being

used here is Kerber rods, similar to the Kerberos

protocol.

Not sure if they're trying to fit in here with systems binaries.

Complex web-based systems like Jenkins should probably never really be exposed to the

public internet, but even if you don't, make sure you are keeping

...